On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).
Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments. READ MORE